When does Windows Installer use elevated privileges?
November 5, 2003
A. You can use a tool such as Group Policy to perform a managed installation of a Windows Installer file or you can manually install a Windows Installer file. Some applications that you install with a Windows Installer file require elevated privileges to access file system areas or registry keys. When you use a tool such as Group Policy to install a Windows Installer file that deploys an application to a user's system, the application runs with elevated privileges (e.g., system permissions) that bypass the user's limited permissions. However, when a user uses a Windows Installer file to install an application manually, the installation is limited by that user's current privilege level, which might cause some installations to fail.
You can configure a system to run all Windows Installer installations, including manual installations, with elevated privileges. However, doing so carries the risk that a skilled user could use the elevated privileges to access areas of the system that would otherwise be protected. For information on how to configure all Windows Installer installations to use elevated privileges, see the FAQ "How can I configure all Windows Installer installations to run with elevated privileges?" below.
If you enable a Group Policy Object (GPO) to let all installations run with elevated privileges, be aware that if you install an application on a per-machine basis (i.e., all users on that machine can use it), any repair operations performed for that application will run with elevated privileges, even if you remove the GPO. If, however, you install an application on a per-user basis, then remove the GPO, any attempts to repair that application might fail because the elevated privileges no longer apply.
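A defender-side audit for the "run all installations with elevated privileges" setting discussed above, as an added example that is not part of the original FAQ. It assumes the documented Windows Installer policy value `AlwaysInstallElevated`, which takes effect only when it is set to 1 in both the machine hive and the user hive; the function names are illustrative.

```powershell
# Added example: audit the Windows Installer "Always install with elevated privileges" policy.
# The policy is effective only when AlwaysInstallElevated = 1 in BOTH the machine and user hive.
$PolicySubKey = 'SOFTWARE\Policies\Microsoft\Windows\Installer'
$ValueName    = 'AlwaysInstallElevated'

function Get-InstallerElevationFlag {
    param([Parameter(Mandatory)][string]$RegistryPath)
    # $true only when the value exists and equals 1; a missing key or value means "not set".
    $item = Get-ItemProperty -Path $RegistryPath -Name $ValueName -ErrorAction SilentlyContinue
    return ($null -ne $item -and $item.$ValueName -eq 1)
}

function Test-AlwaysInstallElevated {
    $machineSet = Get-InstallerElevationFlag -RegistryPath "Registry::HKEY_LOCAL_MACHINE\$PolicySubKey"

    # Walk every loaded user hive under HKEY_USERS (local/domain and Azure AD SIDs),
    # skipping service accounts and *_Classes hives. Run elevated to see other users' hives;
    # profiles that are not currently loaded are not covered.
    Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^S-1-(5-21|12-1)-[\d-]+$' } |
        ForEach-Object {
            $sid     = $_.PSChildName
            $userSet = Get-InstallerElevationFlag -RegistryPath "Registry::HKEY_USERS\$sid\$PolicySubKey"
            [pscustomobject]@{
                UserSid       = $sid
                MachinePolicy = $machineSet
                UserPolicy    = $userSet
                Effective     = ($machineSet -and $userSet)
            }
        }
}

$results = @(Test-AlwaysInstallElevated)
$results | Format-Table -AutoSize

if ($results | Where-Object { $_.Effective }) {
    Write-Warning 'Manual Windows Installer installs run elevated for at least one loaded user profile.'
}
```

A row with `Effective` set to `True` means manual installations for that user run with system permissions; disabling the policy in either hive removes the elevation for new installations.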